Malware Application Classification based on Feature Extraction and Machine Learning for Malicious Behavior Analysis in Android Platform

Feature Extraction through Malicious Behavior Analysis and Machine Learning-based Malicious Application Classification on the Android Platform

  • Kim, Dong-Wook (Department of Computer Engineering, Gachon Univ.) ;
  • Na, Kyung-Gi (Department of Computer Engineering, Gachon Univ.) ;
  • Han, Myung-Mook (Department of Computer Engineering, Gachon Univ.) ;
  • Kim, Mijoo (Security R&D Team 1, KOREA INTERNET & SECURITY AGENCY) ;
  • Go, Woong (Security R&D Team 1, KOREA INTERNET & SECURITY AGENCY) ;
  • Park, Jun Hyung (Security R&D Team 1, KOREA INTERNET & SECURITY AGENCY)
  • Received : 2017.12.11
  • Accepted : 2017.12.25
  • Published : 2018.02.28

Abstract

This paper is a study of the classification of malicious applications in the Android environment, building on an analysis of the threats posed by malicious Android applications and of their behavior. In addition, classification of malicious apps by machine learning was performed as an experiment. Android behavior analysis can be carried out with dynamic analysis tools; through such a tool, API Calls, Runtime Log, System Resource, and Network information for an application can be extracted. We redefined the extracted properties for machine learning and evaluated the results of machine learning classification by comparing the overall feature set against the main features. The results show that the key features improved accuracy by 1~4% over the full feature set; in particular, the SVM classifier improved by 10%. From these results, we found that using the key features was more effective for the performance of the classification algorithm than using the overall features, and that selecting meaningful features from the data sets is important.

This paper is a study on detecting malicious applications on the Android platform; based on research into the threats posed by malicious Android applications and on behavior analysis, we performed detection of malicious applications using machine learning. Android behavior analysis can be performed with a dynamic analysis tool, through which information such as API Calls, Runtime Log, System Resource, and Network data for an application can be extracted. In this study, to apply the features extracted through behavior analysis to machine learning, the attributes of the features were transformed; machine learning was applied to the full feature set, and was also applied to the features obtained from correlation analysis among features, using principal component analysis based on association analysis of the features. As a result, the machine learning classification accuracy for malicious applications using the main features improved by about 1~4% over the classification results using all features, and for the SVM classifier a good result of more than 10% improvement was obtained. From these results we found that using only the main features gives better results for the overall classification algorithm than using all features, and that selecting meaningful features from the data set is important.
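The abstract describes redefining dynamic-analysis output (API calls, runtime log, system resource and network data) as numeric attributes and then keeping only the key features found by correlation analysis. The following is an added illustration, not code from the paper: it maps a constructed per-app sandbox record onto an assumed set of feature names and prunes features whose pairwise Pearson correlation with an already-kept feature exceeds a threshold. The field names, the feature set and the threshold are all assumptions.

```python
# Added example (not from the paper): dynamic-analysis record -> feature vector,
# then correlation-based pruning of redundant features. Names are assumed.
import math

# Constructed per-app dynamic-analysis records; the field names are an assumption.
SAMPLE_REPORTS = [
    {"label": 1, "api_calls": ["sendTextMessage", "getDeviceId", "getDeviceId", "openConnection"],
     "log_lines": 40, "cpu_pct": 35.0, "net_tx_bytes": 20480, "net_conns": 3},
    {"label": 1, "api_calls": ["sendTextMessage", "getDeviceId", "openConnection", "openConnection"],
     "log_lines": 55, "cpu_pct": 41.0, "net_tx_bytes": 30720, "net_conns": 4},
    {"label": 0, "api_calls": ["setContentView", "onClick"],
     "log_lines": 12, "cpu_pct": 8.0, "net_tx_bytes": 512, "net_conns": 1},
    {"label": 0, "api_calls": ["setContentView", "openConnection"],
     "log_lines": 20, "cpu_pct": 12.0, "net_tx_bytes": 1024, "net_conns": 1},
]
# Assumed feature set: counts of sensitive API calls plus runtime-log, resource and network attributes.
FEATURES = ["sms_api", "id_api", "net_api", "log_lines", "cpu_pct", "net_tx_bytes", "net_conns"]
SENSITIVE = {"sendTextMessage": "sms_api", "getDeviceId": "id_api", "openConnection": "net_api"}

def to_feature_vector(report):
    """Redefine raw dynamic-analysis output as numeric attributes in FEATURES order."""
    values = dict.fromkeys(FEATURES, 0.0)
    for call in report["api_calls"]:
        if call in SENSITIVE:
            values[SENSITIVE[call]] += 1
    for key in ("log_lines", "cpu_pct", "net_tx_bytes", "net_conns"):
        values[key] = float(report[key])
    return [values[f] for f in FEATURES]

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either column is constant."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def select_key_features(vectors, threshold=0.95):
    """Keep a feature only if |r| with every already-kept feature is <= threshold."""
    columns = list(zip(*vectors))
    kept = []
    for i, _ in enumerate(FEATURES):
        if all(abs(pearson(columns[i], columns[j])) <= threshold for j in kept):
            kept.append(i)
    return [FEATURES[i] for i in kept]

if __name__ == "__main__":
    vectors = [to_feature_vector(r) for r in SAMPLE_REPORTS]
    print(select_key_features(vectors))  # the reduced set to train the classifiers on
```

On the constructed records, cpu_pct, net_tx_bytes and net_conns are dropped because each tracks the sms_api count almost perfectly, which is the kind of redundancy a correlation step removes before the full-versus-key-feature comparison.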
